Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

J1un7vGf29.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.423311038978997
Filename:	J1un7vGf29.exe
Filesize:	506368
MD5:	40f68d8b1be0f31f4aaf28dccf2f94cb
SHA1:	f5fbda24294289b81a77c12573ee33cea52ac408
SHA256:	98373f6033f41eff577963ce2a8cde8f09394e63de31c866ef5d265b714a9ed9
SHA512:	1205819096ac09cd4b72071bf263281801810be3384ddea79e1290c572d09aeb44c9975441fe86c2a7c0a99d69381436909c3cd2056ecdaad9bf7860bacee614
SSDEEP:	6144:Fi8fZ/nLeOlMAiyTI+BS6oIC2Dbe/MZWdLpID+RMcA2dHDad2m2+yFMCPaf1:FTfFOf8IyS4LDb6dlIDuzAIOboMCif1
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........V...V...V..._.+.B...PHE.^...PH..v...PH..\...PH..R...PH..P.......A...V...s.......?...9H..T...9H..W...9HG.W...9H..W...RichV..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to create an SMB header	Exploits	Exploitation of Remote Services
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Uses taskkill to terminate processes	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality for error logging	System Summary
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to import cryptographic keys (often used in ransomware)	Spam, unwanted Advertisements and Ransom Demands	Security Software Discovery Data Encrypted for Impact
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Public key (encryption) found	Cryptography	Security Software Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_J1un7vGf29.exe_5cd87136c5f8c6d2a2edad2aab90e620989ace30_5a213bd4_6075f31e-8a75-4958-baa0-25eb9dc96c5d\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_J1un7vGf29.exe_5cd87136c5f8c6d2a2edad2aab90e620989ace30_5a213bd4_6075f31e-8a75-4958-baa0-25eb9dc96c5d\Report.wer
Category:	dropped
Dump:	Report.wer.38.dr
ID:	dr_17
Target ID:	38
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.9985976635316371
Encrypted:	false
Ssdeep:	96:ZiFVKm6JsmhL1c7L4faQXIDcQlc6bcEocw3M+HbHg/8BRTf3o8Fa9KUNsPQHdfmO:Y/d6Jz0bfy5jvVmczuiFVZ24lO8L0
Size:	65536
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file has an executable .text section and no other executable section	System Summary
Public key (encryption) found	Cryptography	Archive Collected Data
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD85B.tmp.dmp

Mini DuMP crash report, 14 streams, Sun Oct 20 19:21:15 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERD85B.tmp.dmp
Category:	dropped
Dump:	WERD85B.tmp.dmp.38.dr
ID:	dr_19
Target ID:	38
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Sun Oct 20 19:21:15 2024, 0x1205a4 type
Entropy:	1.653538048175926
Encrypted:	false
Ssdeep:	384:F6JCtgaH20g/fBRuKMsTdpCkOOdiK7ckYjTB5mUuxgF:FPt20KfBRuKMsTdskOOdiNkYJ3
Size:	102636
Whitelisted:	false
Reputation:	timeout

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB1B.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB1B.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERDB1B.tmp.WERInternalMetadata.xml.38.dr
ID:	dr_20
Target ID:	38
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.71624672543535
Encrypted:	false
Ssdeep:	192:R6l7wVeJMyqt6YEIBiMEODgmfJeprH89bCvVLfCQ/m:R6lXJMHt6YEeDEODgmfJTq5fS
Size:	10136
Whitelisted:	false
Reputation:	timeout

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB4B.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB4B.tmp.xml
Category:	dropped
Dump:	WERDB4B.tmp.xml.38.dr
ID:	dr_21
Target ID:	38
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.463614685231288
Encrypted:	false
Ssdeep:	48:cvIwWl8zskJg771I9B/KWpW8VYFYm8M4J1u3A0FwQyq85BcApbCPXtSbFSbSeBd:uIjfiI7c/r7VVJ1uwwKcQiXtSRoSMd
Size:	4645
Whitelisted:	false
Reputation:	timeout

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.38.dr
ID:	dr_18
Target ID:	38
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.421643162156298
Encrypted:	false
Ssdeep:	6144:ESvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnN/0uhiTw:PvloTMW+EZMM6DFyt03w
Size:	1835008
Whitelisted:	false
Reputation:	timeout

\Device\Null

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\Null
Category:	dropped
Dump:	Null.35.dr
ID:	dr_16
Target ID:	35
Process:	C:\Windows\System32\cmd.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.003997527334849
Encrypted:	false
Ssdeep:	3:HnRthLK5a6eCMABe:HRoJPO
Size:	44
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\J1un7vGf29.exe

"C:\Users\user\Desktop\J1un7vGf29.exe"

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerProSdk

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerProSdk

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\System32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\System32\sc.exe

sc stop HTTPDebuggerProSdk

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 476 -p 1080 -ip 1080

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1080 -s 996

There are 27 hidden processes, click here to show them.

URLs

Name

Malicious

http://185.101.104.122/plushvcionbronkz.exe

unknown

http://upx.sf.net

unknown

http://185.101.104.122/plushvciforabronkz.exeC:

unknown

http://185.101.104.122/plushvciforabronkz.exe

unknown

https://curl.haxx.se/docs/http-cookies.html

unknown

https://curl.haxx.se/docs/http-cookies.html#

unknown

https://keyauth.win/api/1.2/

unknown

https://keyauth.win/api/1.1/

104.26.0.5

http://185.101.104.122/plushvcionbronkz.exeC:

unknown

https://keyauth.win/api/1.1/emNU

unknown

Domains

Name

Malicious

keyauth.win

104.26.0.5

Details

Name:	keyauth.win
IP:	104.26.0.5
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

241.42.69.40.in-addr.arpa

unknown

IPs

Domain

Country

Malicious

104.26.0.5

keyauth.win

United States

Details

IP:	104.26.0.5
TargetID:	0
Current Path:	C:\Users\user\Desktop\J1un7vGf29.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	keyauth.win

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

127.0.0.1

unknown